Assessing and managing computational risk involved with integrating third party computing functionality within a computing system

ABSTRACT

In general, various aspects of the present disclosure provide methods, apparatuses, systems, computing devices, computing entities, and/or the like for addressing a modified risk rating identifying a risk to an entity of having computer-implemented functionality provided by a vendor integrated with a computing system of the entity. In accordance various aspects, a method is provided that comprises: receiving a first assessment dataset for computer-implemented functionality; detecting an inconsistency between a value of an attribute for the computer-implemented functionality specified in the first assessment dataset and a corresponding value of the attribute specified in a second assessment dataset for the computer-implemented functionality; modifying a risk rating that identifies a risk to the entity of having the computer-implemented functionality integrated with the computing system to generate a modified risk rating based on the inconsistency; and in response, performing an action with respect to the computing system to address the modified risk rating.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of U.S. Provisional PatentApplication Ser. No. 63/176,185, filed Apr. 16, 2021, which is herebyincorporated herein by reference in its entirety.

TECHNICAL FIELD

The present disclosure is generally related to data processing systemsand methods for assisting entities in a manner to ensure proper accesscontrol, usage control, and protection of data involved withcomputer-implemented functionality provided by a vendor from maliciouslycaused destruction, unauthorized modification, or unauthorizeddisclosure.

BACKGROUND

Significant technical challenges are often encountered by entities(e.g., organizations, companies, institutes, and/or the like) withrespect to integrating computing systems of the entities withcomputer-implemented functionality (e.g., services, softwareapplications, computing system capacity, and/or the like) provided byindependent third party entities, also referred to as vendors. Forexample, a particular entity may use a computing system in supporting ane-commerce website. Here, the entity may integrate computer-implementedfunctionality in the form of a service with the computing system that isprovided through a vendor to validate the identity of visitors to awebsite. Visitors to the website may provide identifying informationthat the computing system submits to the integrated service to validatethe visitors' identities. For example, the service may be provided in asoftware-as-a-service environment. Therefore, the integration of theservice in the computing system may involve installing an applicationprogramming interface (API) within the computing system to provideaccess to the service over a network such as the Internet.

However, an entity's integration of the service with its computingsystem can expose the computing system to significant risk. For example,installing the API within the computing system can provide a channel fora nefarious third-party to gain access to the computing system throughthe vendor's service. Such access can expose the computing system toexperiencing a data breach, being hacked, having malware (e.g., a virusand/or ransomware) installed within the computing system, and/or thelike. Therefore, any entity that is onboarding computer-implementedfunctionality provided through a vendor with a computing system of theentity must be able to recognize, manage, and mitigate risks associatedwith such integration in an effective manner to ensure integrity of thecomputing system is maintained. Accordingly, a need exists in the artfor improved systems and methods to facilitate and assist an entity insuccessfully recognizing, managing, and mitigating risks associated withintegrating computing systems of the entity with computer-implementedfunctionality (e.g., services, software applications, computing systemcapacity, and/or the like) provided by vendors.

SUMMARY

In general, various aspects of the present disclosure provide methods,apparatuses, systems, computing devices, computing entities, and/or thelike for addressing a modified risk rating identifying a risk to a firstentity of having computer-implemented functionality provided by a vendorintegrated with a computing system of the first entity. In accordancevarious aspects, a method is provided that comprises: receiving, bycomputing hardware, a first assessment dataset for computer-implementedfunctionality provided by a vendor, wherein the computer-implementedfunctionality is integrated with a computing system of a first entity;accessing, by the computing hardware, a second assessment dataset forthe computer-implemented functionality provided by the vendor from adata repository that stores risk assessment data on a plurality ofcomputer-implemented functionality provided by different vendors;detecting, by the computing hardware, an inconsistency between a valueof an attribute for the computer-implemented functionality that isspecified in the first assessment dataset and a corresponding value ofthe attribute that is specified in the second assessment dataset;modifying, by the computing hardware, a risk rating to generate amodified risk rating for the vendor based on the inconsistency, whereinthe modified risk rating identifies a risk to the first entity of havingthe computer-implemented functionality integrated with the computingsystem and the modified risk rating moves the vendor from a first risktier for the first entity to a second risk tier for the first entity;and responsive to moving the vendor to the second risk tier for thefirst entity, performing an action with respect to the computing systemof the first entity to address the modified risk rating, wherein theaction is defined for the second risk tier for the first entity.

In some aspects, the action comprises sending, by the computinghardware, an electronic notification to personnel of the first entitythat identifies the inconsistency and the attribute for thecomputer-implemented functionality. In some aspects, the actioncomprises sending, by the computing hardware, an electronic notificationto personnel of the vendor that identifies the inconsistency and theattribute for the computer-implemented functionality. In some aspects,the action comprises causing, by the computing hardware, thecomputer-implemented functionality to be disabled in the computingsystem.

In some aspects, the computer-implemented functionality comprises aservice provided by the vendor used by the computing system. Here, forexample, integrating the computer-implemented functionality with thecomputing system comprises installing an application programminginterface (API) in the computing system to call the service anddisabling the computer-implemented functionality comprises disabling theAPI from calling the service.

In some aspects, the computer-implemented functionality is integratedwith a second computing system of a second entity that is different fromthe first entity. Here, the modified risk rating identifies a risk tothe second entity of having the computer-implemented functionalityintegrated with the second computing system and the modified risk ratingmoves the vendor from a first risk tier for the second entity to asecond risk tier for the second entity and the method further comprises,responsive to moving the vendor to the second risk tier for the secondentity, performing a second action with respect to the second computingsystem of the second entity to address the modified risk rating, whereinthe second action is defined for the second risk tier for the secondentity.

In some aspects, the computer-implemented functionality is integratedwith a second computing system of a second entity that is different fromthe first entity. Here, the method further comprises: modifying, by thecomputing hardware, a second risk rating to generate a second modifiedrisk rating for the vendor based on the inconsistency, wherein: themodified risk rating is unique to the first entity, the second modifiedrisk rating is unique to the second entity and identifies a risk to thesecond entity of having the computer-implemented functionalityintegrated with the second computing system, and the second modifiedrisk rating moves the vendor from a first risk tier for the secondentity to a second risk tier for the second entity; and responsive tomoving the vendor to the second risk tier for the second entity,performing a second action with respect to the second computing systemof the second entity to address the second modified risk rating, whereinthe second action is defined for the second risk tier for the secondentity.

In some aspects, the method further comprises identifying, by thecomputing hardware, the value for the attribute based on a mapping of afirst question/answer pairing provided in the first assessment dataset,wherein the first question/answer pairing comprises a first questionprovided in a first questionnaire filled out by the vendor and a firstanswer provided by the vendor to the first question, and the valuecomprises the first answer; and identifying, by the computing hardware,the corresponding value for the attribute based on a mapping of a secondquestion/answer pairing provided in the second assessment dataset,wherein the second question/answer pairing comprises a second questionprovided in a second questionnaire filled out by the vendor and a secondanswer provided by the vendor to the second question, and thecorresponding value comprises the second answer.

In accordance with various aspects, a system is provided comprising anon-transitory computer-readable medium storing instructions and aprocessing device communicatively coupled to the non-transitorycomputer-readable medium. In particular aspects, the processing deviceis configured to execute the instructions and thereby perform operationsthat comprise: accessing a first assessment dataset and a secondassessment dataset for computer-implemented functionality provided by avendor from a data repository that stores risk assessment data on aplurality of computer-implemented functionality provided by differentvendors, wherein the computer-implemented functionality is integratedwith a computing system of a first entity; detecting an inconsistencybetween a value of an attribute for the computer-implementedfunctionality that is specified in the first assessment dataset and acorresponding value of the attribute that is specified in the secondassessment dataset; modifying a risk rating to generate a modified riskrating for the vendor based on the inconsistency, wherein the modifiedrisk rating identifies a change in risk to the first entity of havingthe computer-implemented functionality integrated with the computingsystem; and responsive to modified risk rating, performing an actionwith respect to the computing system of the first entity to address thechange in risk.

In some aspects, the action comprises sending an electronic notificationto personnel of the first entity that identifies the inconsistency andthe attribute for the computer-implemented functionality. In someaspects, the action comprises sending an electronic notification topersonnel of the vendor that identifies the inconsistency and theattribute for the computer-implemented functionality. In some aspects,the action comprises causing the computer-implemented functionality tobe disabled in the computing system.

In some aspects, the computer-implemented functionality comprises aservice provided by the vendor used by the computing system. Here, forexample, integrating the computer-implemented functionality with thecomputing system comprises installing an application programminginterface (API) in the computing system to call the service anddisabling the computer-implemented functionality comprises disabling theAPI from calling the service.

In some aspects, the computer-implemented functionality is integratedwith a second computing system of a second entity that is different fromthe first entity. Here, the modified risk rating identifies a change inrisk to the second entity of having the computer-implementedfunctionality integrated with the second computing system and themodified risk rating moves the vendor from a first risk tier for thesecond entity to a second risk tier for the second entity and theoperations further comprise, responsive to the modified risk rating,performing a second action with respect to the second computing systemof the second entity to address the change in risk to the second entity.

In some aspects, the computer-implemented functionality is integratedwith a second computing system of a second entity that is different fromthe first entity. Here, the operations further comprise: modifying asecond risk rating to generate a second modified risk rating for thevendor based on the inconsistency, wherein: the modified risk rating isunique to the first entity, the second modified risk rating is unique tothe second entity and identifies a change in risk to the second entityof having the computer-implemented functionality integrated with thesecond computing system; and responsive to the second modified risk,performing a second action with respect to the second computing systemof the second entity to address the change in risk to the second entity.

In some aspects, the operations further comprise: identifying the valuefor the attribute based on a mapping of a first question/answer pairingprovided in the first assessment dataset, wherein the firstquestion/answer pairing comprises a first question provided in a firstquestionnaire filled out by the vendor and a first answer provided bythe vendor to the first question, and the value comprises the firstanswer; and identifying the corresponding value for the attribute basedon a mapping of a second question/answer pairing provided in the secondassessment dataset, wherein the second question/answer pairing comprisesa second question provided in a second questionnaire filled out by thevendor and a second answer provided by the vendor to the secondquestion, and the corresponding value comprises the second answer.

In addition in accordance with various aspects, a non-transitorycomputer-readable medium having program code that is stored thereon. Inparticular aspects, the program code is executable by one or moreprocessing devices and performs operations that comprise: accessing afirst assessment dataset and a second assessment dataset forcomputer-implemented functionality provided by the vendor from a datarepository that stores risk assessment data on a plurality ofcomputer-implemented functionality provided by different vendors,wherein the computer-implemented functionality is integrated with acomputing system of a first entity; detecting an inconsistency between avalue of an attribute for the computer-implemented functionality that isspecified in the first assessment dataset and a corresponding value ofthe attribute that is specified in the second assessment dataset;modifying a risk rating to generate a modified risk rating for thevendor based on the inconsistency, wherein the modified risk ratingidentifies a risk to the first entity of having the computer-implementedfunctionality integrated with the computing system and the modified riskrating moves the vendor from a first risk tier for the first entity to asecond risk tier for the first entity; and responsive to moving thevendor to the second risk tier for the first entity, performing anaction with respect to the computing system of the first entity toaddress the modified risk rating, wherein the action is defined for thesecond risk tier for the first entity.

In some aspects, the action comprises sending an electronic notificationto at least one of personnel of the first entity or the vendor thatidentifies the inconsistency and the attribute for thecomputer-implemented functionality. In some aspects, the actioncomprises causing the computer-implemented functionality to be disabledin the computing system.

In some aspects, the computer-implemented functionality comprises aservice provided by the vendor used by the computing system. Here, forexample, integrating the computer-implemented functionality with thecomputing system comprises installing an application programminginterface (API) in the computing system to call the service anddisabling the computer-implemented functionality comprises disabling theAPI from calling the service.

BRIEF DESCRIPTION OF THE DRAWINGS

In the course of this description, reference will be made to theaccompanying drawings, which are not necessarily drawn to scale, andwherein:

FIG. 1 depicts an example of a computing environment that can be usedfor recognizing, managing, and mitigating risks associated with anentity integrating computer-implemented functionality provided byvendors with computing systems of the entity in accordance with variousaspects of the present disclosure;

FIG. 2 depicts an example of a process for modifying a risk rating for avendor in accordance with various aspects of the present disclosure;

FIGS. 3A-3D depict an example of a mapping of assessment questions tostandards, controls, and/or frameworks that can be used in accordancewith various aspects of the present disclosure;

FIG. 4 depicts an example of a process for generating a dynamicassessment completed by a vendor in accordance with various aspects ofthe present disclosure;

FIG. 5 depicts an example of a process for placing vendors in tiers inaccordance with various aspects of the present disclosure;

FIG. 6 depicts an example of a process for processing vendors forvarious tiers in accordance with various aspects of the presentdisclosure;

FIG. 7 depicts an example of a process for generating a customized riskrating of a vendor for an entity in accordance with various aspects ofthe present disclosure;

FIG. 8 depicts an example of a listing of assessment questions relatedto an entity's use of a particular vendor that can be used in accordancewith various aspects of the present disclosure;

FIG. 9 depicts an example of a process for modifying a risk rating of avendor for an entity in accordance with various aspects of the presentdisclosure;

FIG. 10 provides an example of a graphical user interface that can beused in accordance with various aspects of the present disclosure;

FIG. 11 depicts an example of a system architecture that may be used inaccordance with various aspects of the present disclosure; and

FIG. 12 depicts an example of a computing entity that may be used inaccordance with various aspects of the present disclosure.

DETAILED DESCRIPTION Overview

As noted above, significant technical challenges are often encounteredby entities (e.g., organizations, companies, institutes, and/or thelike) with respect to integrating computing systems of the entities withcomputer-implemented functionality (e.g., services, softwareapplications, computing system capacity, and/or the like) provided byindependent third party entities, also referred to as vendors. Forexample, integrating computer-implemented functionality provided througha vendor with a computing system of an entity can introduce thecomputing system to vulnerabilities such as experiencing a data breach,being compromised by having malware installed on the computing system,losing functionality due to a hacker breaking into the computing systemand taking control, and/or the like.

As a specific example, an entity may subscribe to computer-implementedfunctionality in the form of a service (e.g., software-as-a-service) forproviding human resource management functionality. Here, the service maybe integrated with a computing system of the entity to provide theentity with human resource management functionality within the computingsystem. The service may need to gain access to personal data ofemployees stored within the computing system (e.g., data repositorythereof) in performing certain functionality. Therefore, the service mayneed to have credentials to gain access to the personal data. Theservice may store such credentials in a cloud computing environment thatis used in supporting the service. In addition, the computing system andservice may communicate over a network such as the Internet.Accordingly, the integration of the service with the computing systemmay involve installing an application programming interface (API) withinthe computing system to facilitate communication between the cloudcomputing environment supporting the service and the computing system.

However, the cloud computing environment supporting the service isnormally under the control of the vendor. Therefore, the entity does notgenerally have any say as to how the vendor goes about storing thecredentials in the cloud environment such as, for example, the securitycontrols that are put into place by the vendor in ensuring thecredentials are properly protected from being involved in a data-relatedincident such as a data breach. As a result, the entity's use of theservice can expose the computing system of entity to significant risk ifthe vendor is handling the credentials in a poorly secure manner. Forexample, the vendor may experience a data-related incident involving thecloud computing environment in which the credentials are stolen. Thiscan happen without the vendor's knowledge. The third-party who hasstolen the credentials may then be able to use the credentials to gainaccess to the computing system of the entity. Therefore, any entity thatis interested in integrating computer-implemented functionality providedby vendors within a computing system of the entity must be able tosuccessfully recognize, manage, and mitigate risks associated with suchintegrations.

To combat this problem, many entities will perform an assessment of avendor when considering integrating computer-implemented functionalityprovided by the vendor with a computing system of the entity. Forexample, an entity may have the vendor complete a questionnaire thatincludes questions on various attributes of the computer-implementedfunctionality that may influence an amount of risk that may be involvedin using the functionality. The entity may then evaluate the vendor'sanswers to the questions to determine a risk (e.g., risk rating)associated with integrating the computer-implemented functionality withthe entity's computing system.

However, a first drawback of performing such an assessment is that theentity's assessment may be lacking in some area that may not necessarilyidentify a particular risk (and/or level thereof) that is associatedwith the entity's integration of the vendor's computer-implementedfunctionality. For example, the questionnaire provided to the vendor maynot include the proper questions to identify the particular risk. Inaddition, the vendor may not always be accurate and/or truthful inanswering the questions provided in the questionnaire.

In addition, a second drawback of performing such an assessment is thatthe assessment may only be performed at a time when the vendor is beingconsidered for providing the computer-implemented functionality, orperformed only occasionally once the vendor has been onboarded and thevendor's computer-implemented functionality has been integrated with theentity's computing system. Therefore, any changes instituted by thevendor that may affect the risk (and/or level thereof) associated withproviding the computer-implemented functionality may not be recognizedand/or appreciated by the entity. For example, the vendor may change theidentity verification process used for controlling access to a datarepository used in storing credentials used by the vendor in accessingthe entity's computing system. As a result, the entity's computingsystem may be exposed to a risk and/or an increased level of risk due tothe change in the identity verification process that the entity isunaware of and/or does not fully appreciate.

Various aspects of the present disclosure overcome many of the technicalchallenges associated with integrating computing systems of an entitywith computer-implemented functionality (e.g., services, softwareapplications, computing system capacity, and/or the like) provided byvendors, such as those discussed above. Specifically, various aspects ofthe disclosure are directed to a computer-implemented process thatfacilitates and assists an entity in successfully recognizing, managing,and mitigating risks associated with integrating computing systems ofthe entity with computer-implemented functionality (e.g., services,software applications, computing system capacity, and/or the like)provided by vendors. In various aspects, a vendor risk managementcomputing system is used in executing the computer-implemented process.

In some aspects, the vendor risk management computing system receives afirst assessment dataset for computer-implemented functionality providedby a vendor that is to be integrated with a computing system of anentity. For example, the first assessment dataset may involvequestion/answer pairings. As a specific example, the entity, or someother entity, may provide the vendor with a questionnaire that includesquestions on the computer-implemented functionality. Personnel for thevendor may then provide answers to the questions which in turn becomethe question/answer pairings found in the first assessment dataset.

The vendor risk management computing system may access a secondassessment dataset for the computer-implemented functionality from adata repository that stores risk assessment data on a plurality ofcomputer-implemented functionality provided by different vendors. Invarious aspects, the data repository serves as a centralized data sourcefor storing assessment datasets collected on variouscomputer-implemented functionality provided by different vendors. Forexample, the different assessment datasets may be collected throughmultiple questionnaires that have been provided to the vendors duringtimes when entities are evaluating the vendors with respect tointegrating the various computer-implemented functionality withcomputing systems of the entities.

As a specific example, a first entity may be evaluating a vendor withrespect to integrating computer-implemented functionality that involvesa service provided by the entity with a computing system of the firstentity. For example, integrating the computer-implemented functionalitywith the computing system may involve installing an applicationprogramming interface (API) in the computing system to call the service.

Here, the first entity may provide the vendor with a questionnaire thatincludes questions on the vendor's computer-implemented functionality.For example, the questionnaire may include one or more questions on theaccess controls that vendor has put in place for accessing the service.In addition, the questionnaire may include one or more questions onsecurity controls that the vendor has put into place with respect tosensitive data that the service may use that is collected through thefirst entity's computing system. In turn, personnel for the vendor maythen complete the questionnaire by providing answers to the questions.Multiple personnel may complete the questionnaire so that the firstentity may receive multiple sets of answers to the questions thatresults in multiple assessment datasets. The first entity may thensubmit the assessment datasets to be stored in the data repository.

Besides the first entity, other entities that are evaluating the vendorwith respect to integrating the computer-implemented functionality withcomputing systems for the entities may do the same in submittingassessment datasets to store in the data repository. Therefore, the datarepository can be viewed as a crowdsourcing resource in that datarepository can store assessment datasets that have been collected bymultiple entities in evaluating the vendor and correspondingcomputer-implemented functionality. Accordingly, the data repository canbe used in storing assessment datasets for other computer-implementedfunctionality provided by the vendor, as well as computer-implementedfunctionality provided by other vendors. Therefore, the data repositorycan serve as a centralized data source for assessment datasets collectedby various entities in evaluating different vendors and differentcomputer-implemented functionality provided the different vendors.

In various aspects, the vendor risk management computing system detectsan inconsistency between a value of an attribute for thecomputer-implemented functionality that is specified in the firstassessment dataset and a corresponding value of the attribute that isspecified in the second assessment dataset. For example, the attributemay involve a particular process, control, procedure, function, and/orthe like the vendor has implemented in providing thecomputer-implemented functionality to various entities. Here, the vendorrisk management computing system may detect a different value has beenprovided for the attribute in the first assessment dataset and thesecond assessment dataset.

In some aspects, the vendor risk management computing system mayidentify the value for the attribute based on a mapping of a firstquestion/answer pairing provided in the first assessment dataset. Forexample, the first question/answer pairing can include a first questionprovided in a first questionnaire filled out by the vendor and a firstanswer provided by the vendor to the first question where the value isthe first answer. Likewise, the vendor risk management computing systemmay identify the corresponding value for the attribute based on amapping of a second question/answering pairing provided in the secondassessment dataset. For example, the second question/answer pairing caninclude a second question provided in a second questionnaire filled outby the vendor and a second answer provided by the vendor to the secondquestion where the value is the second answer.

In some aspects, the vendor risk management computing system modifies arisk rating for the vendor to generate a modified risk rating for thevendor based on the inconsistency. For example, the modified risk ratingidentifies a risk to the entity of having the computer-implementedfunctionality integrated with the computing system. Therefore, theentity can use the modified risk rating in determining whether to usethe vendor in providing the computer-implemented functionality tointegrate with the entity's computing system. In some instances, thevendor risk management computing system may identify the inconsistencyand generate the modified risk rating after the entity has alreadyonboarded the vendor and has already integrated the computer-implementedfunctionality with the computing system. Therefore, the vendor riskmanagement computing system may assist the entity in identifying achange in risk in using the computer-implemented functionality providedby the vendor after the entity has already started using thecomputer-implemented functionality. Furthermore, the vendor riskmanagement computing system may identify the inconsistency and generatethe modified risk rating for the entity based on assessment datasetsthat did not originate from the entity. Therefore, the vendor riskmanagement computing system may provide the entity with the benefit orrecognizing a change in risk in using the computer-implementedfunctionality based on other entities evaluation of thecomputer-implemented functionality.

The entity may have multiple computer-implemented functionality providedby various vendors with one or more computing systems of the entity. Insome aspects, the vendor risk management computing system may assist theentity in identifying, monitoring, managing, and/or the like the riskrelated to using of the multiple computer-implement functionality byplacing vendors into different risk tiers based on the risk ratingassigned to the vendors. For example, the risk tiers may include “Low,”“Medium,” “High,” and “Very High.” The risk tiers can allow personnelfor the entity to quickly recognize the risk involved in usingcomputer-implemented functionality for various vendors.

Accordingly, the modified risk rating can move the vendor from a firstrisk tier for the entity to a second risk tier for the entity. As aresult, the vendor risk management computing system may causeperformance of one or more actions with respect to the computing systemof the entity to address the modified risk rating. For example, the oneor more actions may involve sending an electronic notification, such asan email, to personnel of the entity that identifies the inconsistencyand the attribute for the computer-implemented functionality. Similarly,the one or more actions may involve sending, in addition or instead, anelectronic notification to personnel of the vendor that identifies theinconsistency and the attribute for the computer-implementedfunctionality. In another example, the one or more actions may involvedirectly affecting the use of the computer-implemented functionalitywithin the computing system such as causing the computer-implementedfunctionality to be disabled in the computing system (e.g., disablingthe API from calling the service). In some aspects, the one or moreactions are defined for the risk tier for the entity. Therefore, thevendor risk management computing system may cause the one or moreactions to be performed based on the vendor being moved from a firstrisk tier to a second risk tier.

As noted, the data repository can serve as a centralized resource forvarious assessment datasets collected by different entities on differentcomputer-implemented functionality by different vendors. Therefore, thevendor risk management computing system may assist multiple entitieswith identifying, monitoring, managing, and/or the like risk related tousing of multiple computer-implement functionality from differentvendors. For example, the computer-implemented functionality being usedby the first entity may also be integrated with a second computingsystem of a second entity that is different from the entity.Accordingly, the modified risk rating may also identify a risk to thesecond entity of having the computer-implemented functionalityintegrated with the second computing system and again, the modified riskrating may move the vendor from a first risk tier for the second entityto a second risk tier for the second entity. Therefore, like the firstentity, the vendor risk management computing system may causeperformance of one or more actions with respect to the second computingsystem of the second entity to address the modified risk rating.

In some aspects, the vendor risk management computing system may allowfor each entity to generate a customized risk rating for a particularvendor if desired. For example, the vendor risk management computingsystem may provide the first and second entities with a questionnairethat includes questions on each entity's specific integration ofcomputer-implemented functionality with the first and second computingsystems. Accordingly, the customized risk rating can be fine-tuned tothe entity's particular use of computer-implemented functionalityprovided by a vendor. Therefore, the vendor risk management computingsystem may also modify a second risk rating that is unique to the secondentity, in addition to the risk rating that is unique to the firstentity, to generate a second modified risk rating for the vendor basedon the inconsistency that is unique for the second entity.

Accordingly, various aspects of the disclosure provided herein areeffective, efficient, reliable, and accurate in assisting variousentities with identifying, monitoring, managing, and/or the like riskassociated with integrating computer-implemented functionality providedby different vendor with computing systems of the entities. In addition,various aspects of the disclosure provided herein facilitate acentralized resource on assessment datasets provided through variousentities that are collected with respect to integratingcomputer-implemented functionality provided by vendors with computingsystems of the entities. This can be a significant advantage in that thecentralized resource can serve as a crowdsourcing data source that canallow for an entity to obtain a risk rating for a vendor that may bebetter representative of the risk of integrating computer-implementedfunctionality provided by the vendor with a computing system of theentity. Thus, various aspects of the present disclosure make majortechnical contributions to improving the computational efficiency,security, and reliability of various computing systems in usingcomputer-implemented functionality provided through various vendors.Further detail is now provided for various aspects of the disclosure.

Example Computing Environment

FIG. 1 depicts an example of a computing environment that can assistentities in identifying, monitoring, managing, and/or the like riskassociated with integrating computer-implemented functionality providedby different vendors with computing systems of the entities inaccordance with various aspects of the present disclosure. Accordingly,FIG. 1 depicts examples of hardware components of a vendor riskmanagement computing system 100 according to some aspects. The vendorrisk management computing system 100 is a specialized computing systemthat can be used for performing risk analysis related to the integrationof computer-implemented functionality provided through various vendorcomputing systems 195 to various entity computing systems 190 ofentities. In addition, the vendor risk management computing system 100can assist entities in identifying, monitoring, managing, and/or thelike risk associated with the entities integrating computer-implementedfunctionality with the various entity computing systems 190.

In various aspects, the vendor risk management computing system 100 maybe configured to host a vendor risk management service (e.g., softwareas a service) used by the different entities that is accessible over oneor more networks 175. Here, the vendor risk management computing system100 includes software components and/or hardware components forfacilitating the vendor risk management service. For example, the vendorrisk management computing system 100 may be hosting the vendor riskmanagement service as one or more microservices within the vendor riskmanagement computing system 100. The vendor risk management computingsystem 100 may provide access to the vendor risk management service overthe one or more networks 175 (e.g., the Internet) to the entity (e.g.,an entity computing system 190 associated with the entity) that hassubscribed to the service and is considered a “tenant” of the vendorrisk management computing system 100. Personnel of the entity may accessthe vendor risk management service over the one or more networks 175through one or more graphical user interfaces (e.g., webpages) 180 anduse the vendor risk management service. In addition to the graphicaluser interfaces 180, the vendor risk management computing system 100 mayinclude one or more interfaces (e.g., application programming interfaces(APIs)) and/or components for communicating and/or accessing the entitycomputing systems 190 and/or vendor computing systems 195 over thenetwork(s) 175.

Here, an entity computing system 190 for an entity may include computinghardware and/or software that may involve the integration of variouscomputer-implemented functionality provided through a vendor computingsystem 195. For example, the entity computing system 190 may integratecomputer-implemented functionality provided through the vendor computingsystem 195 by installing an API within the entity computing system 190that is used to communicate with a service provided through the vendorcomputing system 195. In another example, the entity computing system190 may integrate computer-implemented functionality provide through thevendor computing system 195 by utilizing data storage found within thevendor computing system 195.

Accordingly, the vendor computing system 195 is operated by a vendorother than the particular entity. Thus, the vendor computing system 195generally includes computing hardware and software that the particularentity has no control over or access to, but which provides thecomputer-implemented functionality that is integrated with the entitycomputing system 190 for the particular entity. Therefore, the entitycomputing system 190 can be exposed to risk introduced by integratingthe computer-implemented functionality provided through the vendorcomputing system 195.

For example, the entity computing system 190 may be exposed to risk ofexperiencing a data-related incident such as a data breach as a resultof integrating the computer-implemented functionality provided throughthe vendor computing system 195. Therefore, the entity may be interestedin using the vendor risk management service in performing a riskanalysis on integrating the computer-implemented functionality providedthrough the vendor computing system 195 with the entity computing system190. In addition, the entity may be interested in using the vendor riskmanagement service in monitoring and managing the risk involved withusing the computer-implemented functionality once thecomputer-implemented functionality has been integrated with the entitycomputing system 190.

In various aspects, the vendor risk management computing system 100includes a data repository 170 that can be used as a centralizedresource for assessment datasets gathered on computer-implementedfunctionality provided by different vendors. For example, the datarepository 170 may comprise one or more databases used in storing theassessment datasets. In addition, the data repository 170 may be used instoring other data utilized within the vendor risk management computingsystem such as questionnaires that may be completed by vendors on thedifferent computer-implemented functionality they may provide, as wellas questionnaires that may be completed by entities on differentcomputer-implemented functionality provided by vendors that the entitieshave (or plan to) integrate with entity computing systems 190.

In various aspects, the vendor risk management computing system 100 canreceive the assessment datasets from entities (e.g., entity computingsystems 190) and/or vendors (e.g., vendor computing system 195).Accordingly, the vendor risk management computing system 100 can use theassessment datasets in performing certain functionality associated withevaluating risk associated with the integration of computer-implementedfunctionality provided by the vendors with entity computing systems 195,as well as assist entities in identifying, monitoring, and managing therisk.

The vendor risk management computing system 100 may include computinghardware performing a number of different processes in providingfunctionality associated with the vendor risk management service.Specifically, in various aspects, the vendor risk management computingsystem 100 executes: (1) a modification module 110 to modify a riskrating for a vendor based on an inconsistency detected betweenassessment datasets; (2) a dynamic assessment module 120 to generate adynamic assessment completed by a vendor; (3) a tier module 130 to placevendors in tiers; (4) a risk mitigation module 140 to process vendorsfor various tiers; (5) a custom module 150 to generate a customized riskrating of a vendor for an entity; and/or (6) a custom modificationmodule 160 to modify a risk rating of a vendor for an entity. Furtherdetail is provided below regarding the configuration and functionalityof the modification module 110, the dynamic assessment module 120, thetier module 130, the risk mitigation module 140, the custom module 150,and the custom modification module 160 according to various aspects ofthe disclosure.

Modification Module

Turning now to FIG. 2, additional details are provided regarding amodification module 110 for modifying a risk rating for a vendor basedon an inconsistency detected between assessment datasets in accordancewith various aspects of the disclosure. For instance, the flow diagramshown in FIG. 2 may correspond to operations carried out, for example,by computing hardware found in the vendor risk management computingsystem 100 as described herein, as the computing hardware executes themodification module 110.

As previously noted, a vendor may receive risk assessments from variousentities that may be interested in integrating computer-implementedfunctionality provided by the vendor with entity computing systems 190for the entities. For example, the risk assessments may be in the formof a questionnaire that asks the vendor certain questions with respectto the computer-implemented functionality. The risk assessments aregenerally used in evaluating the risk of integrating thecomputer-implemented functionality with the entity computing systems190. For example, a questionnaire may ask the vendor to indicationwhether the vendor is using certain access controls such as two-factorauthentication for the computer-implemented functionality. Accordingly,the use or lack of use of the access controls can indicate to an entitya level (e.g., amount) of risk that is involved with integrating thecomputer-implemented functionality with an entity computing system 190.

Therefore, the vendor risk management computing system 100 may receiveand store completed risk assessments in the form of assessment datasetsfor the particular vendor from different entities, as well as differentsources within the particular vendor (e.g., from personnel in differentdepartments within the particular vendor, from different personnelwithin the same department within the particular vendor, from differentsubsidiaries of the particular vendor, etc.). In turn, the assessmentdatasets may be stored in a data repository 170 within the vendor riskmanagement computing system 100 as previously discussed. Therefore, thedata repository 170 can serve as a centralized resource of assessmentdatasets that may have been collected by a number of different entitiesto facilitate crowdsourcing of assessments on the vendor.

In various aspects, each of the assessment datasets may includerespective answers (e.g., values) to each question within the completedrisk assessment to form question/answer pairings. In some aspects, eachquestion/answer pairing may correspond to one or more attributesassociated with the particular computer-implemented functionality beingprovided by the vendor. Therefore, the assessment datasets collected onthe particular computer-implemented functionality can be compared toidentify whether the vendor has provided consistent information in theassessments. If not, then a risk rating for the vendor may be modifiedto reflect the inconsistency. For example, such a comparison may beperformed when a new completed assessment dataset is uploaded to thevendor risk management computing system 100 by an entity or the vendorfor the particular computer-implemented functionality.

Accordingly, the process 200 involves the modification module 110receiving the newly completed assessment dataset at Operation 210. AtOperation 215, the modification module 110 parses the newly completedassessment dataset into question/answering pairings. For example, thenewly completed assessment dataset may be based on a questionnaireprovided as an electronic form. The electronic form may have been viewedby personnel for the vendor on a computing device. The electronic formmay have presented the personnel with questions along with fields toprovide answers to the questions. Therefore, the modification module 110parses the questions and corresponding answers provided in theelectronic form into the question/answering pairings.

At Operation 220, the modification module 110 maps the question/answerpairings to attributes for the computer-implemented functionality. Insome aspects, the modification module 110 may access a data structurethat provides a mapping of the question/answering pairings to theattributes. For example, the attributes may be particular controls thatare to be implemented by the vendor for the computer-implementedfunctionality according to one or more standards and/or frameworks(e.g., FFIEC Cat Tool, PCI 3.2, FFIEC IT Mgmt Handbook, NIST SP 800-53,NIST Cybersecurity Framework, HIPPA Simplification, EU GDPR, SOC 1, SOC2, etc.). In some aspects, multiple questions within the assessment maymap to a same control associated with the one or more standards and/orframeworks.

Turning briefly to FIGS. 3A-3D, an example of a mapping 300 is providedof particular question/answering pairings to one or more standardsand/or frameworks (e.g., in addition to particular controls related toeach of the standards and frameworks). As may be understood from FIGS.3A-3D, the mapping 300 may correspond to one or more fields in a datastructure that indicates a particular question/answer pairing and amapping of each particular question/answering pairing to one or moreattributes (e.g., controls) as defined by various standards/frameworks.

Once the modification module 110 has mapped each of thequestion/answering pairings, the modification module 110 retrieves oneor more assessment datasets for the vendor that are related to thecomputer-implemented functionality at Operation 225. For example, themodification module 110 may query the one or more assessment datasetsfrom the data repository 170 used within the vendor risk managementcomputing system 100 for storing the assessment datasets. Here, themodification module 110 may retrieve one or more assessment datasetsthat are associated with a particular entity (e.g., the entity that hasprovided the completed assessment dataset) or multiple entities. Forexample, personnel for the entity that has provided the completedassessment dataset may also provide criteria along with the assessmentdataset for querying the one or more assessment datasets to use indetecting inconsistencies in the newly completed assessment dataset.

At Operation 230, the modification module 110 selects one of theretrieved assessment datasets. The modification module 110 then maps theattributes for the question/answering pairings to the attributes foundin the selected assessment dataset in Operation 235. Again, themodification module 110 may use some type of data structure thatprovides a mapping of the values provided in the selected assessmentdataset to attributes. Once mapped, the modification module 110determines whether any inconsistencies are found in thequestion/answering pairings for the newly completed assessment datasetby comparing the answers (e.g. values) provided for thequestion/answering pairings to the values provided for the matchingattributes found in the selected assessment dataset at Operation 240.

In various aspects, the modification module 110 detects inconsistenciesin question/answering pairings based on detecting conflicting valuesfrom the newly completed assessment dataset and the selected assessmentdataset that relate to the same particular attribute. For example, themodification module 110 may detect inconsistencies that include (1)opposing binary (e.g., yes/no) values for a particular attribute thatare specified in the newly completed assessment dataset and the selectassessment dataset; (2) inconsistent response values for a particularattribute between the newly completed assessment dataset and the selectassessment dataset (e.g., such as when the responses specified in thenewly completed assessment dataset and the select assessment dataset tothe same multiple-choice question are different); (3) inconsistentselection values for a particular attribute between the newly completedassessment dataset and the select assessment dataset (e.g., such as whenthe responses specified in the newly completed assessment dataset andthe select assessment dataset to the same question requesting theassessment taker to select all responses that apply are inconsistent);(4) inconsistent point values for a particular attribute between thenewly completed assessment dataset and the select assessment dataset(e.g., such as when a question corresponding to the particular attributecalls for a point value response); and/or (5) any other suitableinconsistency between the value of any attribute for the particularvendor that is specified in the newly completed assessment dataset andthe corresponding value for the attribute for the particular vendor thatis specified in the selected assessment dataset (e.g., different numericresponses, different text responses, responses in the selectedassessment dataset for which there is no corresponding response in thenewly completed assessment dataset as a result of a blank response,etc.). If the modification module 110 identifies any inconsistencies,then the modification module records the inconsistencies in Operation245. This can allow for personnel of the entity that has provided thenewly completed assessment dataset, personnel for another entity, and/orthe vendor to review the inconsistencies.

The modification module 110 then determines whether another assessmentdataset has been retrieved to compare with the newly completedassessment dataset in Operation 250. If so, then the modification module110 returns to Operation 230, selects the next assessment dataset, andperforms a comparison using the newly selected assessment dataset toidentify any inconsistencies between the newly completed assessmentdataset and the newly selected assessment dataset.

Once the modification module 110 has conducted a comparison of the newlycompleted assessment dataset to the retrieved assessment datasets, themodification module 110 modifies a risk rating for the vendor togenerate a modified risk rating based on any inconsistences that havebeen identified for the newly completed assessment dataset in Operation255. Accordingly, the risk rating can be in the form of a score, alevel, a grade, and/or the like. In some aspects, the modificationmodule 110 may modify a predefined risk rating (e.g., baseline riskrating) for the particular vendor in generating the modified riskrating. In other aspects, the modification module 110 may modify a priorgenerated risk rating for the particular vendor (e.g., which the systemmay have determined based on a single assessment, or any other suitablefactor).

In various aspects, the modification module 110 may use a rules-basedmodel in modifying the risk rating to generate the modified risk rating.Accordingly, the rules-based model may use a set of rules that defineshow to modify the risk rating based on various factors involved in theidentified inconsistencies. For example, the set of rules may providerules for modifying the risk rating based on the attribute or type ofattribute related to an inconsistency. The set of rules may providerules for modifying the risk rating based on the type of inconsistency.The set of rules may provide rules for modifying the risk rating basedon the level and/or severity of an inconsistency (e.g., the numericalvalues provided for a particular attribute being a certain amountapart). Different sets of rules may be defined for differentcomputer-implemented functionality, different types ofcomputer-implemented functionality, different vendors, different typesof vendors, different entity computing systems for which thecomputer-implemented functionality is to be integrated with, and/or thelike.

In various aspects, the modification module 110 modifies the risk ratingto generate the modified risk rating by, for example: (1) increasing therisk rating based on the one or more identified inconsistencies; (2)decreasing the risk rating based on the one or more identifiedinconsistencies; (3) applying one or more multipliers to the risk ratingbased on the one or more identified inconsistencies; and/or (4) applyingany other suitable modification to the risk rating for the particularvendor. In some aspects, the modification module 110 may modify anoverall risk rating (e.g., crowdsourcing risk rating) for the vendor inresponse to detecting the one or more inconsistencies. In other aspects,the modification module 110 may modify a risk rating associated withparticular computer-implemented functionality for the vendor and/or aparticular attribute of the functionality associated with an identifiedinconsistency. In particular aspects, the modification module 110 mayalso output the modified risk rating by displaying the modified riskrating on a graphical user interface, storing the modified risk rating,sending an electronic communication such as an email with the modifiedrisk rating to personnel of an entity and/or the vendor, and/or thelike. The modification module 110 may also include information on theinconsistencies that resulted in the modified risk rating in the output.

Dynamic Assessment Module

Turning now to FIG. 4, additional details are provided regarding adynamic assessment module 120 for generating a dynamic assessmentcompleted by a vendor (e.g., personnel thereof) in accordance withvarious aspects of the disclosure. For instance, the flow diagram shownin FIG. 4 may correspond to operations carried out, for example, bycomputing hardware found in the vendor risk management computing system100 or a vendor computing system 195 as described herein, as thecomputing hardware executes the dynamic assessment module 120.

For example, the dynamic assessment module 120 may provide theassessment in the form of one or more graphical user interfaces thatpresent questions to personnel of the vendor who then provide answers tothe questions via the graphical user interfaces. Here, the personnel mayhave accessed the vendor risk management service to complete theassessment and therefore, the dynamic assessment module 120 is executingon the vendor risk management computing system 100. In other instances,the dynamic assessment module 120 may have been sent to the vendor alongwith a particular assessment for the vendor to complete. Therefore, thepersonnel for the vendor may be executing the dynamic assessment module120 on a vendor computing system 195 associated with the vendor.Accordingly, as the personnel provides answers to the questionspresented for the assessment, the dynamic assessment module 120 detectsinconsistencies in the assessment in real time and in response, flagsone or more responses related to the inconsistencies for additionalaction.

Therefore, the process 400 involves the dynamic assessment module 120displaying a question to the personnel in Operation 410. The personnelthen enters an answer to the question. The answer to the question can beprovided in various formats depending on the types of response requestedfor the question. For example, the question may be the form of a yes/noquestion, multiple choice question, freeform question, and/or the like.In addition, the question may request additional information to beprovided (e.g., uploaded) along with the answer such as supportingdocumentation, documentation on certifications, documentation on pastdata-related incidents, and/or the like.

The dynamic assessment module 120 receives the answer to the question inOperation 415 and maps the question/answer pairing to one or moreattributes in Operation 420. For example, the dynamic assessment module120 may use some type of data structure that maps the question/answerpairing to one or more attributes related to computer-implementedfunctionality provided by the vendor. In addition, the dynamicassessment module 120 maps the one or more attributes to otherquestion/answering pairings found in the assessment that are related tothe one or more attributes in Operation 425.

In various aspects, the assessment can include multiple question/answerpairings that are related to any particular attribute. For example, theassessment may include a first question asking the personnel whether thevendor has implemented an encryption process for encrypting data that istransferred from an entity (e.g., transferred from an entity computingsystem 190) to the vendor (e.g., to a vendor computing system 195) to beused in a service provided by the vendor. The assessment may alsoinclude a second, different question asking the personnel whether thevendor has put any controls in place for ensuring secure data transfers.Therefore, both the first and second question/answering pairings touchon the same attribute as to whether the vendor encrypts data that istransfer from an entity to the vendor. Accordingly, the assessment isconfigured in this manner to require the personnel to provides multipleanswers related to the same attribute to ensure the personnel isproviding complete, consistent, and accurate answers (information)related to the attribute.

Therefore, in Operation 430, the dynamic assessment module 120 comparesthe answers for the question/answering pairings related to the one ormore attributes. The dynamic assessment module 120 may perform thisparticular operation using various functionality depending on the formof the answers. For example, the answers may be a freeform text format.Therefore, the dynamic assessment module 120 can use one or more naturallanguage processing techniques to compare the answers of thequestion/answer pairings.

For example, the dynamic assessment module 120 may compare a firstanswer string from a first question/answer pairing with a second answerstring from a second question/answer pairing by first utilizing thenatural language processing techniques to generate embedded vectorrepresentations (e.g., tokenized representations) of the first answerstring and the second answer string. The dynamic assessment module 120can then compare the embedded vector representations for the first andsecond answer strings to identify whether the first answer stringcontains an inconsistency.

In other instances, the answers may be in a structured format such asselected answers for multiple choice question, answer to a yes or noquestion, a numerical answer to a quantity question, and/or the like.Therefore, the dynamic assessment module 120 may compare the answers tothe question/answer pairings to determine whether the answers match inidentifying whether the answer to the question that was presented to thepersonnel contains an inconsistency.

At Operation 435, the dynamic assessment module 120 determines whetherthe answer to the question contains an inconsistency. If so, then thedynamic assessment module 120 determines whether to address theinconsistency in Operation 440. In various aspects, the dynamicassessment module 120 performs this particular operation by using adecision engine to determine a relevance of a particular identifiedinconsistency. In some aspects, the decision engine may entail arules-based model that uses a set of rules in determining whether theinconsistency should be addressed. For example, the set of rules mayinclude rules that apply to the level (degree) of inconsistency indetermining whether the inconsistency should be address. As a specificexample, the set of rules may include a rule that if the inconsistencyinvolves numerically different answers that satisfy a threshold, thenthe inconsistency should be addressed. In addition, the set of rules mayinclude rules that apply to certain attributes and/or certain types ofattributes.

If the dynamic assessment module 120 determines the inconsistency shouldbe addressed, then the dynamic assessment module 120 addresses theinconsistency in Operation 445. Accordingly, the dynamic assessmentmodule 120 may determine one or more actions to take to address theinconsistency based on, for example: (1) a number of attributes that aremapped to the particular question/answer pairing; (2) a type of each ofthe one or more attributes that are mapped to the particularquestion/answer pairing; (3) one or more past responses by users to thequestion/answering paring being flagged or similar question/answeringpairings being flagged (e.g., one or more past responses to aquestion/answer pairing with similar mapped attributes as the particularquestion/answer pairing); and/or (4) any other suitable factors.Accordingly, the dynamic assessment module may identify one or moreactions such as, for example: (1) prompting the personnel to providedsupporting information and/or documentation to address theinconsistency; (2) provide the personnel with a follow up questionrelated to the inconsistency; (3) request the personnel to readdress theparticular question/answer pairing involved in the inconsistency; and/or(4) take any other suitable action related to the inconsistency (e.g.,provide an indication that the inconsistency is acceptable, ignore theflagged response, etc.).

In some aspects, the dynamic assessment module 120 may use amachine-learning model to determine the one or more actions to take toaddress the inconsistency. For example, the machine-learning model maybe a trained model such as a multi-label classification model thatprocesses the particular question/answer pairing and/or the relatedquestion/answer pairings and generates a data representation having aset of predictions (e.g., values) in which each prediction is associatedwith a particular action to take to address the inconsistency. Themachine-learning model may be trained, for example, using training dataderived from users' responses to follow up requests previously providedfor inconsistencies detected in one or more assessment question/answerpairings such as: (1) whether the user ignored the flagged question orrelated follow up action; (2) a particular type of action the user tookin response to the flagged question and/or related follow up action(e.g., providing support for the response, implementing a remediatingaction, modifying one or more attributes, etc.); (3) one or moreframeworks and/or standards that are mapped to the flagged question;and/or (4) any other suitable information.

At this point, the dynamic assessment module 120 determines whether theassessment includes another question to ask the personnel in Operation450. If so, then the dynamic assessment module 120 returns to Operation410, selects the next question, and performs the operations justdiscussed for the newly selected question. Once the dynamic assessmentmodule 120 has processed all of the questions for the assessment, thedynamic assessment module 120 records the assessment in Operation 455.For example, the dynamic assessment module 120 may record the assessmentby submitting the assessment as a newly completed assessment dataset tothe vendor risk management computing system 100.

Tier Module

Turning now to FIG. 5, additional details are provided regarding a tiermodule 130 for placing vendors in tiers in accordance with variousaspects of the disclosure. For instance, the flow diagram shown in FIG.5 may correspond to operations carried out, for example, by computinghardware found in the vendor risk management computing system 100 asdescribed herein, as the computing hardware executes the tier module130.

As previously noted, an entity may be using the vendor risk managementservice in evaluating, identifying, monitoring, and managing riskassociated with the entity integrating computer-implementedfunctionality provided by a variety of vendors. In some instances, theentity may be utilizing computer-implemented functionality provided by alarge number of vendors. Therefore, the entity may wish to utilize thevendor risk management service in a manner that can allow personnel forthe entity to quickly assess which vendors pose risks that the entityshould be concerned with and/or should address.

Accordingly, the vendor risk management computing system 100 in variousaspects is configured to place the vendors associated with a particularentity into risk tiers that can allow personnel for the entity to quickidentify groups of vendors that associated with a particular level ofrisk (e.g., risk rating). For example, the personnel for the entity maybe viewing information on various vendors provided through the vendorrisk management service. Here, the personal may be viewing a graphicaluser interface through the vendor risk management service that displaysa listing of vendors with their respective risk ratings.

However, the personnel may be interested in identifying those vendorsthat the entity may be using for various computer-implementedfunctionality and/or may be planning to use for variouscomputer-implemented functionality that have been identified as having acertain level of risk. Therefore, the personnel may select an optionprovided on the graphical user interface to place the interested vendorsfor the personnel into risk tiers so that the personnel can quicklyidentify those vendors associated with the certain level of risk. As aresult of selecting the option, the tier module 130 may be executed toplace the vendors into the appropriate tiers.

Therefore, the process 500 involves the tier module 130 receiving a listof vendors in Operation 510. For example, the personnel may haveprovided criteria for identifying the vendors of interest to have placedin the different tiers. As a specific example, the personnel may haveidentified all of the vendors that the entity is actively using toprovide computer-implemented functionality that is integrated intoentity computing systems 190 for the entity.

In Operation 515, the tier module 130 selects one of the vendors fromthe list of vendors. The tier module 130 then retrieves one or more riskratings that have been generated and stored for the vendor in Operation520. For example, the tier module 130 may retrieve: a risk rating forthe vendor that has been specifically developed for the particularentity; may in addition, or instead, retrieve a risk rating for thevendor that has been developed for other entities (e.g., a baseline riskrating and/or a crowdsourcing risk rating); may in addition, or instead,retrieve a risk rating for the vendor that has been specificallydeveloped for particular computer-implemented functionality; and/or thelike.

The graphical user interface may allow the personnel to provide criteriaused by the tier module 130 in retrieving the one or more risk ratingsfor the vendor. Accordingly, such functionality can allow for thepersonnel to fine tune what risk ratings are used in placing the vendorsinto the different risk tiers.

Once the tier module 130 has retrieved the one or more risk ratings, thetier module 130 places the vendor into a particular risk tier based onthe risk rating(s) in Operation 525. For example, the risk tiers mayinclude “Low,” “Medium,” “High,” and “Very High” and the risk ratingsmay be provided as scores range from 1-100. The tier module 130 maygenerate a composite risk score for the risk scores by, for example,averaging the risk scores, taking the median of the risk scores, and/orthe like. The tier module 130 may then place the vendor into one of therisk tiers based on the vendor having a particular composite risk score.For example, the tier module 130 may place the vendor with a compositerisk score ranging from 1 to 25 into the “Low” tier, a composite riskscore ranging from 26-50 into the “Medium” tier, a composite risk scoreranging from 51-75 into the “High” tier, or a composite risk scoreranging from 76-100 into the “Very High” tier.

The tier module 130 then determines whether another vendor needs to beplaced in one of the risk tiers in Operation 530. If so, then the tiermodule 130 returns to Operation 515, selects the next vendor, and placethe next vendor into the appropriate risk tier as just discussed. Oncethe tier module 130 has placed all of the vendors into an appropriaterisk tier, the tier module 130 may perform one or more actions relatedto the different risk tiers in Operation 535. For example, the tiermodule 130 may display the different risk tiers and their associatedvendors to the personnel. In another example, the tier module 130 maysend an electronic communication such as an email, text message, and/orthe like to the personnel and/or some other personnel of the entityproviding the vendors that have been placed in the different risk tiersor a particular risk tier of interest.

The tiering of vendors can be advantageous to the personnel of theentity, such as a privacy officer, because it may allow the personnel toquickly determine a general risk level associated with a group ofvendors. This can be especially advantageous when the group of vendorsincludes a large number of vendors (e.g., 1000 or more). The personnelmay then use the risk tiering to determine whether, and how, to furtherassess the risk associated with certain vendors. For example, thepersonnel may determine to take no action in regard to vendors that havebeen placed in the “Low” tier, have a third party conduct riskassessments for vendors placed in the “Medium” tier, and have vendorsthat have been placed in the “High” or “Very High” tiers complete riskimpact assessments.

Risk Mitigation Module

Turning now to FIG. 6, additional details are provided regarding a riskmitigation module 140 for processing vendors for various risk tiers inaccordance with various aspects of the disclosure. For instance, theflow diagram shown in FIG. 6 may correspond to operations carried out,for example, by computing hardware found in the vendor risk managementcomputing system 100 as described herein, as the computing hardwareexecutes the risk mitigation module 140.

An entity may employ the vendor risk management service to performcertain actions for vendors that have been placed in a particular risktier. For example, the entity may wish to have risk impact assessmentsautomatically generated and sent to vendors that have been placed in the“Very High” tier. In another example, the entity may wish to haveactions performed in instances where a vendor's risk rating changes andcauses the vendor to be moved from a first risk tier to a second,different risk tier.

As a specific example, an entity may currently have computer-implementedfunctionality provided by a first vendor integrated with an entitycomputing system 190 of the entity. The first vendor's risk rating maycurrently place the vendor into the “Medium” tier for the entity.However, the first vendor may implement a change that affects anattribute for the first vendor that causes the first vendor's riskrating to increase with respect to the entity's integration of thecomputer-implemented functionality. As a result, the increased riskrating may move the first vendor from the “Medium” tier to the “VeryHigh” tier. Here, the entity may wish to have one or more actionsperformed as a result of the first vendor being moved from the “Medium”tier to the “Ver High” tier.

For example, the entity may wish to have one or more electronicnotifications sent to personnel of the entity to notify them of thechange in risk the entity is now experiencing in integratingcomputer-implemented functionality. In other instances, the entity maywish to have more direct actions taken in addition, or instead, tomitigate an increase in risk due to the first vendor moving from the“Medium” tier to the “Very High” tier such as, for example, having theintegration of computer-implemented functionality with the entitycomputing system 190 (temporarily) disabled until the increase in riskcan be addressed by the entity and/or the first vendor.

In various aspects, the vendor risk management computing system 100 mayprovide entities with functionality to define actions that are to beperformed for vendors that have been placed into certain risk tiers. Forexample, the vendor risk management computing system 100 may provide oneor more graphical user interfaces through the vendor risk managementservice that allows for personnel of entities to define actions to beperformed for vendors placed into certain risk tiers. In addition, theone or more graphical user interfaces may allow for the personnel toprovide information needed by the vendor risk management computingsystem 100 to perform the actions such as, for example, email addressesof personnel to receive electronic communications, credentials needed toaccess entity computing systems 190, and/or the like.

Accordingly, the risk mitigation module 140 may be invoked by personnelof an entity to have one or more actions performed for vendors placedinto a certain risk tier. For example, the personnel may have a group ofvendors placed into the different risk tiers as previously discussed.The personnel may then decide to have one or more actions performed forvendors placed in a particular risk tier such as the “Very High” tier.In other instances, the vendor risk management computing system 100 mayautomatically invoke the risk mitigation module 140. For example,personnel of an entity may set up to have the vendor risk managementcomputing system 100 invoke the risk mitigation module 140 for aparticular risk tier periodically and/or when a vendor's risk rating haschanged and moves the vendor into a particular risk tier. In thoseinstances, the vendor risk management computing system 100 may invokethe risk mitigation module 140 for the particular vendor and notnecessarily for every vendor that has placed into the particular risktier.

The process 600 involves the risk mitigation module 140 selecting theparticular risk tier in Operation 610. Here, the risk mitigation module140 may select the particular risk tier by querying the vendors thathave been placed in the particular risk tier for the entity. Forexample, personnel for the entity may have previously had a group ofvendors placed into the different risk tiers as previously discussed andthe tiering of the group of vendors may have been stored in a datarepository 170 found in the vendor risk management computing system 100or other computing system such as an entity computing system 190 for theentity. Therefore, the risk mitigation module 140 may query the vendorsthat have been placed in the particular risk tier from the datarepository 170.

In some aspects, the risk mitigation module 140 may use criteria inquerying the vendors for the particular risk tier. For example, the riskmitigation module 140 may use criteria that indicates to only querythose vendors that have been newly placed in the particular risk tier,which have risk rating that has recently changed (e.g., increased),and/or the like. Personnel for the entity may define the criteria via agraphical user interface provided through the vendor risk managementservice. Accordingly, the criteria can facilitate carrying out actionsfor certain vendors found in the particular risk tier withoutnecessarily having to carry out the actions for every vendor found inthe particular risk tier.

In Operation 615, the risk mitigation module 140 identifies the one ormore actions that are to be performed for the vendors. As previouslydiscussed, personnel of the entity may define the one or more actionsthat are to be performed for vendors that are placed in the particularrisk tier. For example, the personnel may define that an email is to besent to certain risk management personnel of the entity that identifiesthe vendors placed in the particular risk tier. In addition, thepersonnel may define that an assessment is to be sent to each vendorthat has been placed in the particular risk tier. Again, the definedactions to be performed may be stored in a data repository 170 found inthe vendor risk management computing system 100 or other computingsystem such as an entity computing system 190 for the entity. Therefore,the risk mitigation module 140 may query the one or more actions fromthe data repository 170.

In Operation 620, the risk mitigation module 140 selects a vendor forthe particular risk tier. The risk mitigation module 140 then performsthe defined action(s) for the selected vendor in Operation 625. The riskmitigation module 140 then determines whether another vendor has beenqueried for the particular risk tier in Operation 630. If so, then therisk mitigation module 140 selects the next vendor and performs the oneor more actions for the vendor accordingly.

Once the risk mitigation module 140 has processed all of the vendors forthe particular risk tier, the risk mitigation module 140 determineswhether one or more actions are to be carried out for vendors found inanother risk tier in Operation 635. For example, the entity may wish tohave a first set of actions carried out for vendors placed in the “High”tier and a second set of actions carried out for vendors placed in the“Very High” tier. If this is the case, then the risk mitigation module140 returns to Operation 610 to select the next risk tier. The riskmitigation module 140 then performs the operations just discussed forthe next risk tier. Once the risk mitigation module 140 has processedall the necessary risk tiers, the risk mitigation module 140 exits inOperation 640.

Custom Module

Turning now to FIG. 7, additional details are provided regarding custommodule 150 for generating a customized risk rating of a vendor for anentity in accordance with various aspects of the disclosure. Forinstance, the flow diagram shown in FIG. 7 may correspond to operationscarried out, for example, by computing hardware found in the vendor riskmanagement computing system 100 as described herein, as the computinghardware executes the custom module 150.

As previously noted, an advantage provided in various aspects is thatthe vendor risk management service can be utilized to collectinformation (e.g., assessment datasets) on various vendors through amultitude of sources (e.g., different entities) and generate a riskrating for the individual vendors that may be more representative of therisk involved with integrating computer-implemented functionality withan entity computing system 190 than had a particular entity carried outthe risk analysis independently. That is to say, the vendor riskmanagement computing system 100 can be utilized in various aspects tocrowdsource respective risk ratings for a plurality of different vendors(e.g., a large number of vendors). For example, over time, a largenumber of entities may each submit a respective assessment dataset for aparticular vendor. The vendor risk management computing system 100 maythen use each of these assessment datasets to revise (e.g., modify) therespective risk rating for the particular vendor.

As a specific example, the vendor risk management computing system 100in various aspects may generate and maintain a respective baseline riskrating for each of a plurality of vendors based on, for example, anysuitable combination of factors for the vendors. The vendor riskmanagement computing system 100 may then modify the baseline risk ratingfor a vendor based on crowdsourced assessment datasets to generate acrowdsourced risk rating for the vendor. In generating the crowdsourcedrisk rating for a particular vendor, the vendor risk managementcomputing system 100 may, for example, average the respective ratings(e.g., scores) associated with each assessment dataset and use thataverage (e.g., in conjunction with the baseline risk rating) indetermining the crowdsourced risk rating for the vendor. In still otheraspects, the vendor risk management computing system 100 may use thisaveraged rating as the vendor's baseline risk score. It should beunderstood that the crowdsourced risk rating for a particular vendor maybe calculated using any suitable method (e.g., other than averaging).Accordingly, this can allow for a risk rating to be developed andmaintained for the vendor that may be more comprehensive of the riskinvolved with using computer-implemented functionality provided by theparticular vendor.

However, with that said, any one entity's integration ofcomputer-implemented functionality provided by a vendor may havespecific risk associated with the integration that may be different thanthe risk experienced by other entities. Therefore, an entity may wish togenerate a customized risk rating for a particular vendor that may bemore representative of the risk involved with the entity integratingcertain computer-implemented functionality with an entity computingsystem 190 for the entity.

In various aspects, the vendor risk management computing system 100provides a questionnaire that personnel of an entity can completed for aparticular vendor that provides information on the entity's utilizationand/or planned utilization of computer-implemented functionalityprovided by the vendor. For example, the vendor risk managementcomputing system 100 may provide the questionnaire through one or moregraphical user interfaces that can be accessed by the personnel of theentity through the vendor risk management service. The questionnaire mayinclude, for example, one or more of the questions 800 listed in FIG. 8.For instance, the questionnaire may ask the personnel whether the vendorperforms a critical business function for the entity, whether the vendorconnects to the entity's IT infrastructure, etc.

Therefore, the process 700 involves the custom module 150 receiving theanswers to the questions (e.g., in a suitable dataset) in Operation 710.In Operation 715, the custom module 150 retrieves a risk rating for thevendor. For example, the custom module 150 may retrieve the baselinerisk rating and/or crowdsourced risk rating for the vendor. The custommodule 150 then uses the dataset of answers to modify the retrieved riskrating to generate a customized risk rating for the vendor in Operation720. For example, the custom module 150 may generate the customized riskrating by averaging the retrieved risk rating for the vendor with a riskrating computed from the dataset of answers. Here, the custom module 150may assign a numerical risk rating to a vendor based on the dataset ofanswers by assigning a particular value to each possible answer to eachparticular question within the questionnaire, and then totaling all ofthe respective values that correspond to the answers to those questionsto determine the risk rating.

In particular aspects, the vendor risk management computing system 100displays (e.g., at least initially display) a risk rating (e.g., abaseline risk rating and/or crowdsourced risk rating) for the vendor(e.g., Vendor X) to each entity of a set of entities accessing thevendor risk management service to view risk data for the particularvendor. In response to a first entity from the set of entitiessubmitting a questionnaire for Vendor X, the custom module 150 maygenerate a first customized risk rating for Vendor X based on thecompleted questionnaire from the first entity. The custom module 150may, for example, generate the first customized risk rating for Vendor Xby averaging a baseline risk rating and/or crowdsourced risk rating witha risk rating computed from the completed questionnaire from the firstentity. The vendor risk management computing system 100 may then displaythe first customized risk rating for Vendor X to the first entity, butcontinue to display the baseline risk rating and/or crowdsourced riskrating to the remaining entities in the set of entities. In variousaspects, the vendor risk management computing system 100 maintains thecustomized risk rating for use only by the entity. In other aspects, thecustomized risk rating may be available for use by other entities inplace of a previous version of a risk rating for the vendor.

Custom Modification Module

Turning now to FIG. 9, additional details are provided regarding custommodification module 160 for modifying a risk rating of a vendor for anentity in accordance with various aspects of the disclosure. Forinstance, the flow diagram shown in FIG. 9 may correspond to operationscarried out, for example, by computing hardware found in the vendor riskmanagement computing system 100 as described herein, as the computinghardware executes the custom modification module 160.

In various aspects, the vendor risk management computing system 100allows an entity to define how a risk rating (e.g., baseline riskrating, crowdsourced risk rating, and/or customized risk rating) for aparticular vendor is to be modified for use by the entity. For instance,the entity may specify to modify the risk rating for each of theentity's vendors in accordance with one or more third-party risk ratings(e.g., the Vendor's ISS Cyber Risk Score, or other third-party riskrating such as those that may assess risks related to the vendor's laboror environmental practices).

The vendor risk management computing system 100 may provide one or moregraphical user interfaces that are accessible by personnel for entitiesthrough the vendor risk management service to specify how certain riskratings are to be modified. The personnel may use the one or moregraphical user interfaces in defining certain conditions that are to besatisfied to have a particular vendor's risk rating modified. Inaddition, the personnel may define the manner in which a vendor's riskrating is be modified if the conditions are met. Therefore, oncepersonnel for a particular entity has defined the conditions and mannerfor modifying vendor risk ratings for the entity, the vendor riskmanagement computing system 100 may invoke the custom modificationmodule 160 to modify the risk ratings accordingly.

The process 900 involves the custom modification module 160 receivingthe vendors for the entity in Operation 910. In Operation 915, thecustom modification module 160 selects one of the vendors. The custommodification module 160 then determines whether the risk rating for theselected vendor is to be modified in Operation 920. For example, thepersonnel for the entity may have defined a condition that for anyparticular vendor of the entity, if the vendor's respective ISS CyberRisk Score falls within a particular range, such as 300 to 500, thevendor's risk rating is to be modified in a certain manner such as raiseor lower the vendor's risk rating by a certain amount and/or percentage.Therefore, if the custom modification module 160 determines thecondition is satisfied for the selected vendor, then the custommodification module 160 retrieves the vendor's risk rating in Operation925 and modifies the risk rating accordingly in Operation 930.

The custom modification module 160 determines whether another vendor isto be processed for the entity in Operation 935. If so, then the custommodification module 160 returns to Operation 915, selects the nextvendor, and processes the vendor to modify a risk rating for the vendoraccordingly. Although the custom modification module 160 is described inthe context of allowing a particular entity to modify a risk rating forthe entity's purposes, the custom modification module 160 may be used insome aspects to modify a risk rating, such as a baseline risk ratingand/or crowdsourcing risk rating, for one or more vendors that isavailable for use to a plurality of different entities.

In particular aspects, once the custom modification module 160 hasprocessed all of the vendors for the entity, the custom modificationmodule 160 performs one or more actions that may be associated with themodified risk ratings in Operation 940. For example, the custommodification module 160 may invoke the tier module 130 and/or riskmitigation module 140 as previously discussed. In another example, thecustom modification module 160 may cause a modified risk rating to bedisplayed for a particular vendor adjacent one or more other riskratings associated with the vendor and/or any other relevantrisk-related information for the vendor.

For example, FIG. 10 provides an example of a graphical user interface1000 that may be provided through the vendor risk management servicethat displays various risk information for a particular vendor (e.g.,Zentoso 1010). Here, the graphical user interface 1000 displays agraphic 1015 indicating that the computer-implemented functionalityprovided by the vendor is considered a low risk to the entity. Thegraphic 1015 can be based on placing the vendor in a particular tier(e.g. “Low” tier) for the entity. The vendor may have been placed in theparticular tier based on one or more of a baseline risk rating,crowdsourcing risk rating, customized risk rating, or modifiedcustomized risk rating. In addition, the graphical user interface 1000provides a third party risk rating, in this instance the vendor's ISSCyber Risk Score 1020. Accordingly, the graphical user interface 1000can be useful in helping personnel for the entity assess the risksassociated with integrating computer-implemented functionality providedby the vendor into an entity computing system 190 for the entity ingreater detail.

Example Technical Platforms

Aspects of the present disclosure may be implemented in various ways,including as computer program products that comprise articles ofmanufacture. Such computer program products may include one or moresoftware components including, for example, software objects, methods,data structures, and/or the like. A software component may be coded inany of a variety of programming languages. An illustrative programminglanguage may be a lower-level programming language such as an assemblylanguage associated with a particular hardware architecture and/oroperating system platform. A software component comprising assemblylanguage instructions may require conversion into executable machinecode by an assembler prior to execution by the hardware architectureand/or platform. Another example programming language may be ahigher-level programming language that may be portable across multiplearchitectures. A software component comprising higher-level programminglanguage instructions may require conversion to an intermediaterepresentation by an interpreter or a compiler prior to execution.

Other examples of programming languages include, but are not limited to,a macro language, a shell or command language, a job control language, ascript language, a database query, or search language, and/or a reportwriting language. In one or more example aspects, a software componentcomprising instructions in one of the foregoing examples of programminglanguages may be executed directly by an operating system or othersoftware component without having to be first transformed into anotherform. A software component may be stored as a file or other data storageconstruct. Software components of a similar type or functionally relatedmay be stored together such as, for example, in a particular directory,folder, or library. Software components may be static (e.g.,pre-established, or fixed) or dynamic (e.g., created or modified at thetime of execution).

A computer program product may include a non-transitorycomputer-readable storage medium storing applications, programs, programmodules, scripts, source code, program code, object code, byte code,compiled code, interpreted code, machine code, executable instructions,and/or the like (also referred to herein as executable instructions,instructions for execution, computer program products, program code,and/or similar terms used herein interchangeably). Such non-transitorycomputer-readable storage media include all computer-readable media(including volatile and non-volatile media).

According to various aspects, a non-volatile computer-readable storagemedium may include a floppy disk, flexible disk, hard disk, solid-statestorage (SSS) (e.g., a solid-state drive (SSD), solid state card (SSC),solid state module (SSM)), enterprise flash drive, magnetic tape, or anyother non-transitory magnetic medium, and/or the like. A non-volatilecomputer-readable storage medium may also include a punch card, papertape, optical mark sheet (or any other physical medium with patterns ofholes or other optically recognizable indicia), compact disc read onlymemory (CD-ROM), compact disc-rewritable (CD-RW), digital versatile disc(DVD), Blu-ray disc (BD), any other non-transitory optical medium,and/or the like. Such a non-volatile computer-readable storage mediummay also include read-only memory (ROM), programmable read-only memory(PROM), erasable programmable read-only memory (EPROM), electricallyerasable programmable read-only memory (EEPROM), flash memory (e.g.,Serial, NAND, NOR, and/or the like), multimedia memory cards (MMC),secure digital (SD) memory cards, SmartMedia cards, CompactFlash (CF)cards, Memory Sticks, and/or the like. Further, a non-volatilecomputer-readable storage medium may also include conductive-bridgingrandom access memory (CBRAM), phase-change random access memory (PRAM),ferroelectric random-access memory (FeRAM), non-volatile random-accessmemory (NVRAM), magnetoresistive random-access memory (MRAM), resistiverandom-access memory (RRAM), Silicon-Oxide-Nitride-Oxide-Silicon memory(SONOS), floating junction gate random access memory (FJG RAM),Millipede memory, racetrack memory, and/or the like.

According to various aspects, a volatile computer-readable storagemedium may include random access memory (RAM), dynamic random accessmemory (DRAM), static random access memory (SRAM), fast page modedynamic random access memory (FPM DRAM), extended data-out dynamicrandom access memory (EDO DRAM), synchronous dynamic random accessmemory (SDRAM), double data rate synchronous dynamic random accessmemory (DDR SDRAM), double data rate type two synchronous dynamic randomaccess memory (DDR2 SDRAM), double data rate type three synchronousdynamic random access memory (DDR3 SDRAM), Rambus dynamic random accessmemory (RDRAM), Twin Transistor RAM (TTRAM), Thyristor RAM (T-RAM),Zero-capacitor (Z-RAM), Rambus in-line memory module (RIMM), dualin-line memory module (DIMM), single in-line memory module (SIMM), videorandom access memory (VRAM), cache memory (including various levels),flash memory, register memory, and/or the like. It will be appreciatedthat where various aspects are described to use a computer-readablestorage medium, other types of computer-readable storage media may besubstituted for or used in addition to the computer-readable storagemedia described above.

Various aspects of the present disclosure may also be implemented asmethods, apparatuses, systems, computing devices, computing entities,and/or the like. As such, various aspects of the present disclosure maytake the form of a data structure, apparatus, system, computing device,computing entity, and/or the like executing instructions stored on acomputer-readable storage medium to perform certain steps or operations.Thus, various aspects of the present disclosure also may take the formof entirely hardware, entirely computer program product, and/or acombination of computer program product and hardware performing certainsteps or operations.

Various aspects of the present disclosure are described below withreference to block diagrams and flowchart illustrations. Thus, eachblock of the block diagrams and flowchart illustrations may beimplemented in the form of a computer program product, an entirelyhardware aspect, a combination of hardware and computer programproducts, and/or apparatuses, systems, computing devices, computingentities, and/or the like carrying out instructions, operations, steps,and similar words used interchangeably (e.g., the executableinstructions, instructions for execution, program code, and/or the like)on a computer-readable storage medium for execution. For example,retrieval, loading, and execution of code may be performed sequentiallysuch that one instruction is retrieved, loaded, and executed at a time.In some examples of aspects, retrieval, loading, and/or execution may beperformed in parallel such that multiple instructions are retrieved,loaded, and/or executed together. Thus, such aspects can producespecially configured machines performing the steps or operationsspecified in the block diagrams and flowchart illustrations.Accordingly, the block diagrams and flowchart illustrations supportvarious combinations of aspects for performing the specifiedinstructions, operations, or steps.

Example System Architecture

FIG. 11 is a block diagram of a system architecture 1100 that can beused in providing the vendor risk management service and correspondingfunctionality according to various aspects of the disclosure as detailedherein. Components of the system architecture 1100 are configuredaccording to various aspects to provide an entity with the vendor riskmanagement service that facilitates and assists the entity insuccessfully recognizing, managing, and mitigating risks associated withintegrating entity computing systems 190 of the entity withcomputer-implemented functionality (e.g., services, softwareapplications, computing system capacity, and/or the like) providedthrough vendor computing systems 195. As may be understood from FIG. 11,the system architecture 1100 in various aspects may include a vendorrisk management computing system 100 that comprises one or moremanagement servers 1110 and one or more data repositories 170.

The one or more management servers 1110 are used in supporting thevendor risk management service (e.g., an instance thereof) for an entitywithin the vendor risk management computing system 100. The one or moredata repositories 170 may include, for example, a data repository forstoring assessment datasets received for various vendors. In additionthe one or more data repositories 170 may include a data repository forstoring specific data for various entities such as customized riskratings on vendors for the various entities, as well as conditions andmanners defined by the various entities and used in modifying riskratings for vendors as described herein. Further, the managementserver(s) 1110 may execute a modification module 110, a dynamicassessment module 120, a tier module 130, a risk mitigation module 140,a custom module 150, and/or a custom modification module 160 asdescribed herein. Further, in some aspects, the management server(s)1110 may provide one or more graphical user interfaces through whichpersonnel of the entities can access the vendor risk management service.

The one or more management servers 1110 may be in communication with oneor more entity computing systems 190 for the entities, as well as one ormore vendor computing systems 195 for the vendors, over one or morenetworks 175. Accordingly, the management server(s) 1110 may be incommunication over the network(s) 140 with components residing on theentity computing systems 190 and/or vendor computing systems 195 tofacilitate various functionality as described herein. To do so, themanagement server(s) 1110 may interface with the entity computingsystems 190 and/or vendor computing systems 195 via one or more suitableapplication programming interfaces (APIs), direct connections, and/orthe like. Although the management server(s) 110 and data repository(ies)170 are shown as separate components, it should be understood thataccording to other aspects, these components 1110, 170 may comprise asingle server and/or repository, a plurality of servers and/orrepositories, one or more cloud-based servers and/or repositories, orany other suitable configuration.

Example Computing Hardware

FIG. 12 illustrates a diagrammatic representation of a computinghardware device 1200 that may be used in accordance with various aspectsof the disclosure. For example, the hardware device 1200 may becomputing hardware such as a management server 1110 as described in FIG.11. According to particular aspects, the hardware device 1200 may beconnected (e.g., networked) to one or more other computing entities,storage devices, and/or the like via one or more networks such as, forexample, a LAN, an intranet, an extranet, and/or the Internet. As notedabove, the hardware device 1200 may operate in the capacity of a serverand/or a client device in a client-server network environment, or as apeer computing device in a peer-to-peer (or distributed) networkenvironment. According to various aspects, the hardware device 1200 maybe a personal computer (PC), a tablet PC, a set-top box (STB), aPersonal Digital Assistant (PDA), a mobile device (smartphone), a webappliance, a server, a network router, a switch or bridge, or any otherdevice capable of executing a set of instructions (sequential orotherwise) that specify actions to be taken by that device. Further,while only a single hardware device 1200 is illustrated, the term“hardware device,” “computing hardware,” and/or the like shall also betaken to include any collection of computing entities that individuallyor jointly execute a set (or multiple sets) of instructions to performany one or more of the methodologies discussed herein.

A hardware device 1200 includes a processor 1202, a main memory 1204(e.g., read-only memory (ROM), flash memory, dynamic random-accessmemory (DRAM) such as synchronous DRAM (SDRAM), Rambus DRAM (RDRAM),and/or the like), a static memory 1206 (e.g., flash memory, staticrandom-access memory (SRAM), and/or the like), and a data storage device1218, that communicate with each other via a bus 1232.

The processor 1202 may represent one or more general-purpose processingdevices such as a microprocessor, a central processing unit, and/or thelike. According to some aspects, the processor 1202 may be a complexinstruction set computing (CISC) microprocessor, reduced instruction setcomputing (RISC) microprocessor, very long instruction word (VLIW)microprocessor, a processor implementing other instruction sets,processors implementing a combination of instruction sets, and/or thelike. According to some aspects, the processor 1202 may be one or morespecial-purpose processing devices such as an application specificintegrated circuit (ASIC), a field programmable gate array (FPGA), adigital signal processor (DSP), network processor, and/or the like. Theprocessor 1202 can execute processing logic 1226 for performing variousoperations and/or steps described herein.

The hardware device 1200 may further include a network interface device1208, as well as a video display unit 1210 (e.g., a liquid crystaldisplay (LCD), a cathode ray tube (CRT), and/or the like), analphanumeric input device 1212 (e.g., a keyboard), a cursor controldevice 1214 (e.g., a mouse, a trackpad), and/or a signal generationdevice 1216 (e.g., a speaker). The hardware device 1200 may furtherinclude a data storage device 1218. The data storage device 1218 mayinclude a non-transitory computer-readable storage medium 1230 (alsoknown as a non-transitory computer-readable storage medium or anon-transitory computer-readable medium) on which is stored one or moremodules 1222 (e.g., sets of software instructions) embodying any one ormore of the methodologies or functions described herein. For instance,according to particular aspects, the modules 1222 may include amodification module 110, a dynamic assessment module 120, a tier module130, a risk mitigation module 140, a custom module 150, and/or a custommodification module 160 as described herein. The one or more modules1222 may also reside, completely or at least partially, within mainmemory 1204 and/or within the processor 1202 during execution thereof bythe hardware device 1200—main memory 1204 and processor 1202 alsoconstituting computer-accessible storage media. The one or more modules1222 may further be transmitted or received over a network 175 via thenetwork interface device 1208.

While the computer-readable storage medium 1230 is shown to be a singlemedium, the terms “computer-readable storage medium” and“machine-accessible storage medium” should be understood to include asingle medium or multiple media (e.g., a centralized or distributeddatabase, and/or associated caches and servers) that store the one ormore sets of instructions. The term “computer-readable storage medium”should also be understood to include any medium that is capable ofstoring, encoding, and/or carrying a set of instructions for executionby the hardware device 1200 and that causes the hardware device 1200 toperform any one or more of the methodologies of the present disclosure.The term “computer-readable storage medium” should accordingly beunderstood to include, but not be limited to, solid-state memories,optical and magnetic media, and/or the like.

System Operation

The logical operations described herein may be implemented (1) as asequence of computer implemented acts or one or more program modulesrunning on a computing system and/or (2) as interconnected machine logiccircuits or circuit modules within the computing system. Theimplementation is a matter of choice dependent on the performance andother requirements of the computing system. Accordingly, the logicaloperations described herein are referred to variously as states,operations, steps, structural devices, acts, or modules. These states,operations, steps, structural devices, acts, and modules may beimplemented in software, in firmware, in special purpose digital logic,and any combination thereof. Greater or fewer operations may beperformed than shown in the figures and described herein. Theseoperations also may be performed in a different order than thosedescribed herein.

Conclusion

The disclosure provided herein entails detecting and addressing changesmade to regulatory frameworks that affect (may affect) computing systemsof various entities. However, those of ordinary skill in the art shouldappreciate that aspects of the disclosure may be used in detecting andaddressing changes made to other regulatory instruments such asregulatory laws, regulations, standards, and/or the like that may alsoaffect computing systems of various entities in handling certain typesof data (e.g., target data).

While this specification contains many specific aspect details, theseshould not be construed as limitations on the scope of any invention orof what may be claimed, but as descriptions of features that may bespecific to particular aspects of particular inventions. Certainfeatures that are described in this specification in the context ofseparate aspects also may be implemented in combination in a singleaspect. Conversely, various features that are described in the contextof a single aspect also may be implemented in multiple aspectsseparately or in any suitable sub-combination. Moreover, althoughfeatures may be described above as acting in certain combinations andeven initially claimed as such, one or more features from a claimedcombination may in some cases be excised from the combination, and theclaimed combination may be a sub-combination or variation of asub-combination.

Similarly, while operations are described in a particular order, thisshould not be understood as requiring that such operations be performedin the particular order described or in sequential order, or that alldescribed operations be performed, to achieve desirable results. Incertain circumstances, multitasking and parallel processing may beadvantageous. Moreover, the separation of various components in thevarious aspects described above should not be understood as requiringsuch separation in all aspects, and the described program components(e.g., modules) and systems may be integrated together in a singlesoftware product or packaged into multiple software products.

Many modifications and other aspects of the disclosure will come to mindto one skilled in the art to which this disclosure pertains having thebenefit of the teachings presented in the foregoing descriptions and theassociated drawings. Therefore, it is to be understood that thedisclosure is not to be limited to the specific aspects disclosed andthat modifications and other aspects are intended to be included withinthe scope of the appended claims. Although specific terms are employedherein, they are used in a generic and descriptive sense only and notfor the purposes of limitation.

1. A method comprising: receiving, by computing hardware, a firstassessment dataset for computer-implemented functionality provided by avendor, wherein the computer-implemented functionality is integratedwith a computing system of a first entity; accessing, by the computinghardware, a second assessment dataset for the computer-implementedfunctionality provided by the vendor from a data repository that storesrisk assessment data on a plurality of computer-implementedfunctionality provided by different vendors; detecting, by the computinghardware, an inconsistency between a value of an attribute for thecomputer-implemented functionality that is specified in the firstassessment dataset and a corresponding value of the attribute that isspecified in the second assessment dataset; modifying, by the computinghardware, a risk rating to generate a modified risk rating for thevendor based on the inconsistency, wherein the modified risk ratingidentifies a risk to the first entity of having the computer-implementedfunctionality integrated with the computing system and the modified riskrating moves the vendor from a first risk tier for the first entity to asecond risk tier for the first entity; and responsive to moving thevendor to the second risk tier for the first entity, performing anaction with respect to the computing system of the first entity toaddress the modified risk rating, wherein the action is defined for thesecond risk tier for the first entity.
 2. The method of claim 1, whereinthe action comprises sending, by the computing hardware, an electronicnotification to personnel of the first entity that identifies theinconsistency and the attribute for the computer-implementedfunctionality.
 3. The method of claim 1, wherein the action comprisessending, by the computing hardware, an electronic notification topersonnel of the vendor that identifies the inconsistency and theattribute for the computer-implemented functionality.
 4. The method ofclaim 1, wherein the action comprises causing, by the computinghardware, the computer-implemented functionality to be disabled in thecomputing system.
 5. The method of claim 4, wherein: thecomputer-implemented functionality comprises a service provided by thevendor used by the computing system; integrating thecomputer-implemented functionality with the computing system comprisesinstalling an application programming interface (API) in the computingsystem to call the service; and disabling the computer-implementedfunctionality comprises disabling the API from calling the service. 6.The method of claim 1, wherein: the computer-implemented functionalityis integrated with a second computing system of a second entity that isdifferent from the first entity; the modified risk rating identifies arisk to the second entity of having the computer-implementedfunctionality integrated with the second computing system and themodified risk rating moves the vendor from a first risk tier for thesecond entity to a second risk tier for the second entity; and themethod further comprises, responsive to moving the vendor to the secondrisk tier for the second entity, performing a second action with respectto the second computing system of the second entity to address themodified risk rating, wherein the second action is defined for thesecond risk tier for the second entity.
 1. hod of claim 1, wherein: thecomputer-implemented functionality is integrated with a second computingsystem of a second entity that is different from the first entity; andthe method further comprises: modifying, by the computing hardware, asecond risk rating to generate a second modified risk rating for thevendor based on the inconsistency, wherein: the modified risk rating isunique to the first entity, the second modified risk rating is unique tothe second entity and identifies a risk to the second entity of havingthe computer-implemented functionality integrated with the secondcomputing system, and the second modified risk rating moves the vendorfrom a first risk tier for the second entity to a second risk tier forthe second entity; and responsive to moving the vendor to the secondrisk tier for the second entity, performing a second action with respectto the second computing system of the second entity to address thesecond modified risk rating, wherein the second action is defined forthe second risk tier for the second entity.
 8. The method of claim 1further comprising: identifying, by the computing hardware, the valuefor the attribute based on a mapping of a first question/answer pairingprovided in the first assessment dataset, wherein the firstquestion/answer pairing comprises a first question provided in a firstquestionnaire filled out by the vendor and a first answer provided bythe vendor to the first question, and the value comprises the firstanswer; and identifying, by the computing hardware, the correspondingvalue for the attribute based on a mapping of a second question/answerpairing provided in the second assessment dataset, wherein the secondquestion/answer pairing comprises a second question provided in a secondquestionnaire filled out by the vendor and a second answer provided bythe vendor to the second question, and the corresponding value comprisesthe second answer.
 9. A system comprising: a non-transitorycomputer-readable medium storing instructions; and a processing devicecommunicatively coupled to the non-transitory computer-readable medium,wherein, the processing device is configured to execute the instructionsand thereby perform operations comprising: accessing a first assessmentdataset and a second assessment dataset for computer-implementedfunctionality provided by a vendor from a data repository that storesrisk assessment data on a plurality of computer-implementedfunctionality provided by different vendors, wherein thecomputer-implemented functionality is integrated with a computing systemof a first entity; detecting an inconsistency between a value of anattribute for the computer-implemented functionality that is specifiedin the first assessment dataset and a corresponding value of theattribute that is specified in the second assessment dataset; modifyinga risk rating to generate a modified risk rating for the vendor based onthe inconsistency, wherein the modified risk rating identifies a changein risk to the first entity of having the computer-implementedfunctionality integrated with the computing system; and responsive tomodified risk rating, performing an action with respect to the computingsystem of the first entity to address the change in risk.
 10. The systemof claim 9, wherein the action comprises sending an electronicnotification to personnel of the first entity that identifies theinconsistency and the attribute for the computer-implementedfunctionality.
 11. The system of claim 9, wherein the action comprisessending an electronic notification to personnel of the vendor thatidentifies the inconsistency and the attribute for thecomputer-implemented functionality.
 12. The system of claim 9, whereinthe action comprises causing the computer-implemented functionality tobe disabled in the computing system.
 13. The system of claim 12,wherein: the computer-implemented functionality comprises a serviceprovided by the vendor used by the computing system; integrating thecomputer-implemented functionality with the computing system comprisesinstalling an application programming interface (API) in the computingsystem to call the service; and disabling the computer-implementedfunctionality comprises disabling the API from calling the service. 14.The system of claim 9, wherein: the computer-implemented functionalityis integrated with a second computing system of a second entity that isdifferent from the first entity; the modified risk rating identifies achange in risk to the second entity of having the computer-implementedfunctionality integrated with the second computing system and themodified risk rating moves the vendor from a first risk tier for thesecond entity to a second risk tier for the second entity; and theoperations further comprise, responsive to the modified risk rating,performing a second action with respect to the second computing systemof the second entity to address the change in risk to the second entity.15. The system of claim 9, wherein: the computer-implementedfunctionality is integrated with a second computing system of a secondentity that is different from the first entity; and the operationsfurther comprise: modifying a second risk rating to generate a secondmodified risk rating for the vendor based on the inconsistency, wherein:the modified risk rating is unique to the first entity, the secondmodified risk rating is unique to the second entity and identifies achange in risk to the second entity of having the computer-implementedfunctionality integrated with the second computing system; andresponsive to the second modified risk, performing a second action withrespect to the second computing system of the second entity to addressthe change in risk to the second entity.
 16. The system of claim 9,wherein the operations further comprise: identifying the value for theattribute based on a mapping of a first question/answer pairing providedin the first assessment dataset, wherein the first question/answerpairing comprises a first question provided in a first questionnairefilled out by the vendor and a first answer provided by the vendor tothe first question, and the value comprises the first answer; andidentifying the corresponding value for the attribute based on a mappingof a second question/answer pairing provided in the second assessmentdataset, wherein the second question/answer pairing comprises a secondquestion provided in a second questionnaire filled out by the vendor anda second answer provided by the vendor to the second question, and thecorresponding value comprises the second answer.
 17. A non-transitorycomputer-readable medium having program code that is stored thereon, theprogram code executable by one or more processing devices for performingoperations comprising: accessing a first assessment dataset and a secondassessment dataset for computer-implemented functionality provided bythe vendor from a data repository that stores risk assessment data on aplurality of computer-implemented functionality provided by differentvendors, wherein the computer-implemented functionality is integratedwith a computing system of a first entity; detecting an inconsistencybetween a value of an attribute for the computer-implementedfunctionality that is specified in the first assessment dataset and acorresponding value of the attribute that is specified in the secondassessment dataset; modifying a risk rating to generate a modified riskrating for the vendor based on the inconsistency, wherein the modifiedrisk rating identifies a risk to the first entity of having thecomputer-implemented functionality integrated with the computing systemand the modified risk rating moves the vendor from a first risk tier forthe first entity to a second risk tier for the first entity; andresponsive to moving the vendor to the second risk tier for the firstentity, performing an action with respect to the computing system of thefirst entity to address the modified risk rating, wherein the action isdefined for the second risk tier for the first entity.
 18. Thenon-transitory computer-readable medium of claim 17, wherein the actioncomprises sending an electronic notification to at least one ofpersonnel of the first entity or the vendor that identifies theinconsistency and the attribute for the computer-implementedfunctionality.
 19. The non-transitory computer-readable medium of claim17, wherein the action comprises causing the computer-implementedfunctionality to be disabled in the computing system.
 20. Thenon-transitory computer-readable medium of claim 19, wherein: thecomputer-implemented functionality comprises a service provided by thevendor used by the computing system; integrating thecomputer-implemented functionality with the computing system comprisesinstalling an application programming interface (API) in the computingsystem to call the service; and disabling the computer-implementedfunctionality comprises disabling the API from calling the service.